Maintaining control over application data is a long-standing problem for which certain solutions have been developed. Unfortunately, these solutions have not been widely adopted because they do not address fundamental technical and/or market requirements in acceptable ways. Some systems have relied upon operating-system-based access controls to protect the information; these types of systems may be incapable of operating effectively in a distributed, semi-connected operating environment, and may be further limited in their ability to provide a set of common enforcement controls if operating on disparate computer systems. To circumvent these limitations, some systems have focused on the persistent protection of the data itself (e.g., digital rights management). Some of these techniques focus on protecting data using encryption and enforcing controls by managing access to the decryption keys required to access the data. Digital rights management (DRM) type systems have well-known problems and limitations surrounding key management, use of the data by non-DRM-enabled applications (e.g., requiring application modification), and data leakage (either intentional or unintentional) once the data is decrypted and made available to the application.
Some known systems have implemented data controls by restricting the movement of the data inter- and intra-device using physical or logical limitations upon data movement. These approaches may be implemented using a variety of techniques, such as discretionary and mandatory access controls. Access control techniques may operate at the file level (and not the record level, which may limit their usefulness for managing collections of data records), may be limited to restricting classes of access to the information (initial access, read, write, delete), and may require a common trusted control infrastructure so that the control definitions are distributed and enforced consistently between devices. These limitations may restrict the type and granularity of protection, may require deployment architectures in which trust relationships are established between devices, and may not protect against information leakage at the application level. Refinements of these systems, such as compartmented multi-user workstations, extend these techniques for additional granularity, but suffer the same limitations in managing the control of information between systems.
Other systems may require control-aware applications. Control-aware approaches include techniques that wrap applications or that provide a library which application writers may use. These systems may not be able to use unmodified applications and enforce data controls on either an intra- or an inter-device basis. Other approaches for implementing more granular data control may include tainting-based techniques, which may associate one or more tags with specific data, track these tags with the data wherever the data is moved within the device, and inhibit or permit actions based upon the tags present with a specific piece of data. Tainting-based approaches may be limited to the boundaries of a single device.